Password Management

May 19, 2015 • Jan Seeger

Tags: playground, android, linux, security, pgp

While some argue that the era of passwords is over, and others that we should set a random password and simply use the password-recovery email as the login mechanism, many people depend on cloud-based password management services like LastPass or 1Password. For this to work you have to trust them to have done their homework regarding encryption. Even then they could put you in a place you don’t want to be (for instance by spontaneously deciding to require access to your contacts or SMS), and you’d have to either allow that or stop using their service.

After switching back to Linux from Android as my main OS, I needed a solution that worked on both platforms. Preferably one that even works on the other platforms I occasionally encounter, like Windows and OS X.

Initially I tried porting my current password manager to the desktop using Google’s Arc Welder, but the app crashed as soon as the encrypted database was imported or accessed. Ultimately I ended up migrating my password database to Pass instead.

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

I like how simple this approach really is: the database is just a tree of text files, each containing a password encrypted to your own PGP key. If you ever need to, you could even skip pass altogether and access the raw files using stock GnuPG tools.

This simplicity lets you easily synchronize between different systems and platforms using the tool of your choice, such as rsync. Heck, you could even use a cloud-based file synchronization service like Dropbox and still know your files are safely encrypted.

The only remaining issue I have: what happens if you replace your PGP key? You’d have to decrypt all files and re-encrypt them with the new key. While it is not urgent right now, it would still be good to have a working migration script handy. Just in case.
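A minimal version of such a migration script, as an added example (not part of pass or of the original post): it walks the store, decrypts every entry with the old key via the gpg binary, re-encrypts it to the new key id, and updates the `.gpg-id` file that pass reads to find the recipient. The store path, the key id `NEWKEY` and the injectable `run` hook (which lets the logic be exercised without a gpg install) are assumptions.

```python
"""Re-encrypt every entry of a pass store to a new PGP key (added example)."""
import os
import subprocess
from pathlib import Path


def gpg_run(cmd, data=None):
    """Default runner: execute one gpg command line and return its stdout bytes.
    The old key must be usable by gpg (e.g. cached in gpg-agent) for --decrypt."""
    return subprocess.run(cmd, input=data, stdout=subprocess.PIPE, check=True).stdout


def list_entries(store):
    """All encrypted entries (*.gpg) below the store root, sorted for a stable log."""
    return sorted(p for p in Path(store).rglob("*.gpg") if p.is_file())


def reencrypt_entry(path, new_key, run=gpg_run):
    """Decrypt one entry and re-encrypt the plaintext to new_key.

    The new ciphertext is written to a temporary sibling first and then renamed
    over the original, so an interrupted run never leaves a truncated entry.
    """
    plaintext = run(["gpg", "--batch", "--quiet", "--decrypt", str(path)])
    tmp = path.with_name(path.name + ".tmp")
    run(["gpg", "--batch", "--yes", "--quiet", "--encrypt",
         "--recipient", new_key, "--output", str(tmp)], data=plaintext)
    os.replace(tmp, path)  # atomic on the same filesystem


def reencrypt_store(store, new_key, run=gpg_run):
    """Re-encrypt all entries, then record new_key in .gpg-id (pass's recipient file).

    Returns the store-relative paths that were rewritten, in processing order.
    """
    entries = list_entries(store)
    for entry in entries:
        reencrypt_entry(entry, new_key, run)
    (Path(store) / ".gpg-id").write_text(new_key + "\n")
    return [e.relative_to(store).as_posix() for e in entries]


if __name__ == "__main__":
    # Hypothetical invocation: reencrypt the default store to key id NEWKEY.
    for name in reencrypt_store(os.path.expanduser("~/.password-store"), "NEWKEY"):
        print("re-encrypted", name)
```

Current versions of pass perform the same step themselves when you run `pass init` with the new key id; the script above spells out what that involves and is handy when pass is not installed on the machine holding the files.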